Verisign bogosity {Scanned by HJMS}
Remco Barendse
mailscanner at BARENDSE.TO
Tue Sep 16 16:15:51 IST 2003
Would it help to put their IP address in our /etc/mail/access list on
REJECT? This will at least make sure that mail from domains that do
not resolve, or that resolve to Verisign, is rejected, right?
On Tue, 16 Sep 2003, Furnish, Trever G wrote:
> Again, what we need is mirrors that refuse to carry that record. But even
> if some of the other root server operators were to modify their daemons to
> make it possible to refuse selected records during a zone transfer, I
> suspect Verisign would cut off their transfer access when they realize the
> mirror isn't carrying the complete zone.
>
> > -----Original Message-----
> > From: Stijn Jonker [mailto:SJCJonker at SJC.NL]
> > Sent: Tuesday, September 16, 2003 9:46 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Verisign bogosity {Scanned by HJMS}
> >
> >
> >
> > Remco and others,
> >
> > If I understand the Verisign hijack/fix/option correctly they added a
> > wildcard record in the root .com zone. As a result the "authoritative"
> > servers for any non-existent zone/host are the gTLD root servers.
> >
> > By blocking the single specific address you are only blocking the data
> > flows from and to that particular host.
> >
> > some tests:
> > [sjonker at ph-wks-01 sjonker]$ dig ns non-existant-domain-jskjdlk.com
> >
> > ; <<>> DiG 9.2.1 <<>> ns non-existant-domain-jskjdlk.com
> > ;; global options: printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9980
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;non-existant-domain-jskjdlk.com. IN NS
> >
> > ;; AUTHORITY SECTION:
> > com. 10800 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 2003091600 1800 900 604800 86400
> >
> > ;; Query time: 135 msec
> > ;; SERVER: 192.168.175.101#53(192.168.175.101)
> > ;; WHEN: Tue Sep 16 16:43:24 2003
> > ;; MSG SIZE rcvd: 122
> >
> > after a blacklist for 64.94.110.11
> >
> > any non-existent entry still resolves to the above address.
> >
> > I don't think there is an easy way to block the resolving.
> >
> > Remco Barendse said the following on 09/16/2003 04:30 PM:
> > | The firewall rule would block access to the Verisign server, therefore
> > | the domain will never resolve (this is the way it ought to be) because
> > | your DNS server cannot reach it (supposing you are running your own
> > | name servers!).
> > |
> > | Remco
> > |
> > |
> > | On Tue, 16 Sep 2003, Rose, Bobby wrote:
> > |
> > |
> > |>How would a firewall stop this? A firewall won't keep the MTA from
> > |>resolving the bogus domain to that IP, correct? It also wouldn't keep
> > |>SA from resolving it as part of the DNS checks.
> > |>
> > |>-----Original Message-----
> > |>From: Remco Barendse [mailto:mailscanner at BARENDSE.TO]
> > |>Sent: Tuesday, September 16, 2003 9:59 AM
> > |>To: MAILSCANNER at JISCMAIL.AC.UK
> > |>Subject: Re: Verisign bogosity
> > |>
> > |>
> > |>I have created a firewall rule that silently drops all packets sent
> > |>to this IP.
> > |>
> > |>Mail seems to be flowing normally and all fake .com crap is still
> > |>rejected.
> > |>
> > |>On Tue, 16 Sep 2003, Jeff A. Earickson wrote:
> > |>
> > |>
> > |>>Gang,
> > |>> Hold that thought... I added 64.94.110.11 to my blackhole list,
> > |>>and things slowly ground to a halt over the next hour. Hmmm.. I had
> > |>>to back this out of my DNS. Wonder why it didn't work? I have
> > |>>notified Verisign that I won't be renewing my certs with them in
> > |>>October.
> > |>>
> > |>>--- Jeff Earickson
> > |>>
> > |>>On Tue, 16 Sep 2003, Jeff A. Earickson wrote:
> > |>>
> > |>>
> > |>>>Date: Tue, 16 Sep 2003 08:40:09 -0400
> > |>>>From: Jeff A. Earickson <jaearick at colby.edu>
> > |>>>Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > |>>>To: MAILSCANNER at JISCMAIL.AC.UK
> > |>>>Subject: Verisign bogosity
> > |>>>
> > |>>>Gang,
> > |>>>
> > |>>>If you run a modern version of bind, simply blackhole the Verisign
> > |>>>number. This is what I have in my bind boot files:
> > |>>>
> > |>>> #---goes inside the options { } statement of named.conf
> > |>>> #---blackhole queries from RFC1918 private addresses
> > |>>> #---routes to them are never advertised, so don't waste time
> > |>>> #---see p. 284, DNS&Bind version 4
> > |>>> #---64.94.110.11 is Verisign's bogus server.
> > |>>> blackhole {
> > |>>>     10/8;
> > |>>>     172.16/12;
> > |>>>     192.168/16;
> > |>>>     64.94.110.11;
> > |>>> };
> > |>>>
> > |>>>I've changed my bind configs to do this, I suggest this ASAP.
> > |>>>
> > |>>>-----------------------------------
> > |>>>Jeff A. Earickson, Ph.D
> > |>>>Senior UNIX Sysadmin and Email Guru
> > |>>>Information Technology Services
> > |>>>Colby College, 4214 Mayflower Hill,
> > |>>>Waterville ME, 04901-8842
> > |>>>phone: 207-872-3659 (fax = 3076)
> > |>>>-----------------------------------
> > |>>>
> > |>>
> >
> > --
> > Met Vriendelijke groet/Yours Sincerely
> > Stijn Jonker <SJCJonker at sjc.nl>
> >
>
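The check Remco asks about at the top of the thread, rejecting mail whose sender domain either does not resolve or resolves only to the wildcard address, written out as an added example (not code from the list or from any poster). It assumes the sinkhole address 64.94.110.11 quoted in the thread; the in-memory resolver data, the function names and the sample senders are constructed for the demo, and only A records are consulted (a real MTA would look at MX records first).

```python
"""Treat sender domains that only resolve to a registry wildcard sinkhole
as non-existent, restoring the MTA's "sender domain must resolve" check.

Added example; not code from the MailScanner list or any poster. The
address 64.94.110.11 is the one quoted in the thread; the resolver data,
function names and sample senders below are constructed for the demo.
"""
import random
import socket
import string

# Wildcard sinkhole address quoted in the thread.
KNOWN_SINKHOLES = {"64.94.110.11"}


def probe_wildcard(resolve, tld="com", attempts=2):
    """Return the addresses a registry wildcard synthesizes for labels that
    cannot exist, or an empty set when the TLD is clean.

    `resolve(name)` returns a list of IPv4 strings, [] on NXDOMAIN. A random
    24-character label has no realistic chance of being registered, so any
    answer for it is wildcard-synthesized.
    """
    found = set()
    for _ in range(attempts):
        label = "".join(random.choice(string.ascii_lowercase) for _ in range(24))
        found.update(resolve(f"{label}.{tld}"))
    return found


def sender_domain(mail_from):
    """Domain part of a MAIL FROM argument such as <user@example.com>."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def check_sender(mail_from, resolve, sinkholes):
    """Return (accept, reason). Reject when the sender domain does not
    resolve at all, or resolves only to sinkhole addresses."""
    domain = sender_domain(mail_from)
    if domain is None:
        return False, "malformed sender address"
    addrs = set(resolve(domain))
    if not addrs:
        return False, f"sender domain {domain} does not resolve"
    if addrs <= sinkholes:
        return False, f"sender domain {domain} resolves only to wildcard sinkhole {sorted(addrs)}"
    return True, f"sender domain {domain} resolves to {sorted(addrs)}"


def system_resolve(name):
    """Resolver backed by the host's libc, for use outside the demo."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed stand-in for a .com zone carrying a wildcard: every otherwise
# unknown .com name answers with the sinkhole address, other TLDs NXDOMAIN.
_FAKE_ZONE = {
    "example.com": ["192.0.2.10"],
    "barendse.to": ["192.0.2.20"],
}


def fake_resolve(name):
    if name in _FAKE_ZONE:
        return list(_FAKE_ZONE[name])
    if name.endswith(".com"):
        return ["64.94.110.11"]
    return []


def demo():
    """Learn the sinkhole set by probing, then run a few constructed senders."""
    sinkholes = set(KNOWN_SINKHOLES) | probe_wildcard(fake_resolve)
    results = {}
    for sender in ("<alice@example.com>",
                   "<spam@non-existant-domain-jskjdlk.com>",
                   "<x@nowhere.invalid>",
                   "bogus"):
        results[sender] = check_sender(sender, fake_resolve, sinkholes)
    return sinkholes, results


if __name__ == "__main__":
    sinkholes, results = demo()
    print("sinkhole addresses:", sorted(sinkholes))
    for sender, (ok, why) in results.items():
        print("ACCEPT" if ok else "REJECT", sender, "-", why)
```

Probing with a random label rather than only hard-coding the address means the check keeps working if the wildcard target changes; pass `system_resolve` in place of `fake_resolve` to run it against the live DNS. Blackholing the address in BIND, as tried earlier in the thread, does not help here because the synthesized answer comes from the gTLD servers, not from 64.94.110.11 itself.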